Table of contents
- NIS 2 national competent authority: a pillar for digital security
- The regulatory basis: from the NIS Directive to NIS 2
- The National Cyber Security Agency as the central authority
- Obligations for operators and providers: toward a common high standard
- A strategic investment in cyber security
- The future challenge: harmonizing security and innovation
NIS 2 national competent authority: a pillar for digital security
The growing complexity of networks and IT systems requires a coordinated approach to network security at both national and international levels.
With the introduction of the EU Directive 2022/2555, also known as NIS 2, European Union member states are tasked with ensuring a high common level of protection for critical infrastructures.
Identifying the competent NIS authorities in Italy has been a top priority for the government, which has defined their competencies in Article 10 of Legislative Decree No. 138 of September 4, 2024.
According to this regulation, in Italy, this responsibility is entrusted to the National Cyber Security Agency (ACN), designated as the National Competent NIS Authority and the single point of contact.
The regulatory basis: from the NIS Directive to NIS 2
The EU Directive 2016/1148, the first European regulatory framework on network and information security, laid the foundation for identifying and protecting essential service operators and digital service providers. However, the evolving threat landscape necessitated stricter harmonization, leading to the adoption of EU Directive 2022/2555 (NIS 2).
In Italy, the implementation of these directives occurred through Legislative Decree No. 65 of May 18, 2018, and the subsequent Legislative Decree No. 138 of September 4, 2024, which assign the ACN a central role in:
- Supervising regulatory implementation
- Regulating security obligations
- Fostering international cooperation within the European Union
The National Cyber Security Agency as the central authority
Under Article 10 of Legislative Decree No. 138 of September 4, 2024, the National Cyber Security Agency is officially recognized as the national competent NIS authority. This designation entails responsibilities such as:
- Identifying essential service operators and digital service providers
- Drafting guidelines and recommendations to ensure network security
- Participating in the NIS Cooperation Group and other European initiatives
- Managing the single point of contact to facilitate cross-border cooperation among authorities
The ACN’s role extends beyond the national level: it acts as a strategic hub to ensure the operational continuity of highly critical infrastructures and promotes effective information sharing with European and international partners.
Obligations for operators and providers: toward a common high standard
NIS 2 expands the scope compared to the previous directive, encompassing not only essential service operators but also private and public organizations performing highly critical functions. Specifically, the security obligations include:
- Adopting preventive measures against cyberattacks
- Managing network and system risks
- Promptly notifying incidents to the competent NIS authorities
The new regulations demand particular attention from public administration, which must align with European standards to prevent disruptions in essential services.
A strategic investment in cyber security
The designation of the ACN as the national competent NIS authority is more than a formal adjustment. Legislators have allocated annual funding of 2 million euros starting in 2025 to support the agency’s activities. This investment is crucial for ensuring effective regulatory implementation and strengthening network security nationwide.
Additionally, the ACN collaborates with other national competent authorities and European institutions such as ENISA, ensuring that Italy is fully integrated into the European Union’s digital security landscape.
The future challenge: harmonizing security and innovation
Implementing NIS 2 requires a collective effort to balance security and innovation. Essential service operators and digital service providers must comply with increasingly stringent requirements, but this presents an opportunity to enhance user trust in digital services.
The Prime Minister’s office and other Italian institutions are tasked with promoting a culture of cyber security, raising awareness among both public and private sectors about the importance of protecting critical infrastructures.
Questions and answers
- What is the NIS 2 Directive?
EU Directive 2022/2555, or NIS 2, updates the European regulatory framework for the security of critical digital infrastructures.
- What is the national competent NIS authority in Italy?
The National Cyber Security Agency, designated under Legislative Decree No. 138 of September 4, 2024.
- What are single points of contact?
Structures that facilitate cooperation among member states for managing cyber security at the European level.
- Who are the essential service operators?
Organizations providing fundamental services for society, such as energy, transportation, and healthcare.
- What are the security obligations?
They include risk management and the prompt notification of incidents to the competent NIS authorities.
- What does the NIS Cooperation Group do?
It coordinates member states’ efforts to improve the security of digital infrastructures at the European level.
- What are the legal references for NIS in Italy?
The main references are Legislative Decree No. 65 of May 18, 2018, and Legislative Decree No. 138 of September 4, 2024.
- What is ENISA’s role in NIS 2?
ENISA provides technical support and promotes cooperation among member states.
- What does a high common level of security entail?
Harmonizing security measures to protect critical infrastructures across the European Union.
- How is the ACN’s work funded?
With an annual allocation of 2 million euros starting in 2025, as stipulated by Legislative Decree No. 138 of September 4, 2024.